How do I make a local machine client certificate available to all users?

How do I make a local machine client certificate available to all users?

am 07.11.2006 14:03:06 von Assimalyst

Hi,

Using Windows Server 2003, i have set up a standalone certificate
using the certsrv tools.

When a client machine registers you can use the advanced form to 'Store
Certificate in Local Computer Certificate Store'.

This all works as intended when the client machine registers, but when
a user logs on to the site using IE6 they still are met with the 'The
page requires a client certificate' web page.

I know i can export the local machine store certificate and then import
per user through IE, but is there an easier way to do it? Ideally i
want all users on a particular machine to automatically use the local
computer stored certificate without need for individual IE install.

Thanks for your help.

Re: How do I make a local machine client certificate available to all users?

am 07.11.2006 21:36:40 von David Wang

What are you trying to accomplish?

Are you trying to install one client certificate on machine and have
all users logged into that machine automatically use that certificate
to make a SSL request to your server? Because if so, what you want is
very contrary to the whole security design of a client certificate.

The whole purpose of client certificate is proof of identity. If you
have multiple users that can use the same certificate, you might as
well not bother requiring client certificates in the first place.

Unless you are trying to enforce the requirement that only certain
machines with client certificates, used by anyone, can access your
server, but you can do that in other ways, like with IPSec.

So... can you please describe what you are actually trying to do?


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//




Assimalyst wrote:
> Hi,
>
> Using Windows Server 2003, i have set up a standalone certificate
> using the certsrv tools.
>
> When a client machine registers you can use the advanced form to 'Store
> Certificate in Local Computer Certificate Store'.
>
> This all works as intended when the client machine registers, but when
> a user logs on to the site using IE6 they still are met with the 'The
> page requires a client certificate' web page.
>
> I know i can export the local machine store certificate and then import
> per user through IE, but is there an easier way to do it? Ideally i
> want all users on a particular machine to automatically use the local
> computer stored certificate without need for individual IE install.
>
> Thanks for your help.

Re: How do I make a local machine client certificate available to all users?

am 08.11.2006 10:07:54 von Assimalyst

Hi David,

Thank you for your response.

Yes, the intention is to allow a machine access regardless of user, the
website has a user login to track that.

So it seems client certificates are not the way to go on this? I will
look into IPSec, but of course any further comments are always welcome.

Thanks again

David Wang wrote:
> What are you trying to accomplish?
>
> Are you trying to install one client certificate on machine and have
> all users logged into that machine automatically use that certificate
> to make a SSL request to your server? Because if so, what you want is
> very contrary to the whole security design of a client certificate.
>
> The whole purpose of client certificate is proof of identity. If you
> have multiple users that can use the same certificate, you might as
> well not bother requiring client certificates in the first place.
>
> Unless you are trying to enforce the requirement that only certain
> machines with client certificates, used by anyone, can access your
> server, but you can do that in other ways, like with IPSec.
>
> So... can you please describe what you are actually trying to do?
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
>
>
>
>
> Assimalyst wrote:
> > Hi,
> >
> > Using Windows Server 2003, i have set up a standalone certificate
> > using the certsrv tools.
> >
> > When a client machine registers you can use the advanced form to 'Store
> > Certificate in Local Computer Certificate Store'.
> >
> > This all works as intended when the client machine registers, but when
> > a user logs on to the site using IE6 they still are met with the 'The
> > page requires a client certificate' web page.
> >
> > I know i can export the local machine store certificate and then import
> > per user through IE, but is there an easier way to do it? Ideally i
> > want all users on a particular machine to automatically use the local
> > computer stored certificate without need for individual IE install.
> >
> > Thanks for your help.

Re: How do I make a local machine client certificate available to all users?

am 08.11.2006 10:51:52 von Assimalyst

I will elaborate on the situation as i am still a little unclear on the
bets course of action.

I have Windows server 2003 SP1 running a website. I want to allow only
specific machines to access this website over the internet. They will
likely originate from 1 or 2 IP addresses, belonging to bureau of
machines, where users may be using different machines within the bureau
day to day.

Ideally i would like to be able to track which machines are logged on,
and which user is logged on with that machine. I can track users
through the website, but am not so sure how to track the machine.

I thought by using client certificates that the machine could be
tracked, but the certificate is installed on a per user basis. I found
i was able to install on the local machine certificate store, but the
certificate still needed to be installed per user for them to gain
access to the website.

Any comments would be much appreciated.

Assimalyst wrote:
> Hi David,
>
> Thank you for your response.
>
> Yes, the intention is to allow a machine access regardless of user, the
> website has a user login to track that.
>
> So it seems client certificates are not the way to go on this? I will
> look into IPSec, but of course any further comments are always welcome.
>
> Thanks again
>
> David Wang wrote:
> > What are you trying to accomplish?
> >
> > Are you trying to install one client certificate on machine and have
> > all users logged into that machine automatically use that certificate
> > to make a SSL request to your server? Because if so, what you want is
> > very contrary to the whole security design of a client certificate.
> >
> > The whole purpose of client certificate is proof of identity. If you
> > have multiple users that can use the same certificate, you might as
> > well not bother requiring client certificates in the first place.
> >
> > Unless you are trying to enforce the requirement that only certain
> > machines with client certificates, used by anyone, can access your
> > server, but you can do that in other ways, like with IPSec.
> >
> > So... can you please describe what you are actually trying to do?
> >
> >
> > //David
> > http://w3-4u.blogspot.com
> > http://blogs.msdn.com/David.Wang
> > //
> >
> >
> >
> >
> > Assimalyst wrote:
> > > Hi,
> > >
> > > Using Windows Server 2003, i have set up a standalone certificate
> > > using the certsrv tools.
> > >
> > > When a client machine registers you can use the advanced form to 'Store
> > > Certificate in Local Computer Certificate Store'.
> > >
> > > This all works as intended when the client machine registers, but when
> > > a user logs on to the site using IE6 they still are met with the 'The
> > > page requires a client certificate' web page.
> > >
> > > I know i can export the local machine store certificate and then import
> > > per user through IE, but is there an easier way to do it? Ideally i
> > > want all users on a particular machine to automatically use the local
> > > computer stored certificate without need for individual IE install.
> > >
> > > Thanks for your help.

Re: How do I make a local machine client certificate available to all users?

am 08.11.2006 11:51:51 von Assimalyst

I have just found out the client machines operate from a DHCP server. I
presume then that IPSec will not work in this instance?

Thanks

Assimalyst wrote:
> I will elaborate on the situation as i am still a little unclear on the
> bets course of action.
>
> I have Windows server 2003 SP1 running a website. I want to allow only
> specific machines to access this website over the internet. They will
> likely originate from 1 or 2 IP addresses, belonging to bureau of
> machines, where users may be using different machines within the bureau
> day to day.
>
> Ideally i would like to be able to track which machines are logged on,
> and which user is logged on with that machine. I can track users
> through the website, but am not so sure how to track the machine.
>
> I thought by using client certificates that the machine could be
> tracked, but the certificate is installed on a per user basis. I found
> i was able to install on the local machine certificate store, but the
> certificate still needed to be installed per user for them to gain
> access to the website.
>
> Any comments would be much appreciated.
>
> Assimalyst wrote:
> > Hi David,
> >
> > Thank you for your response.
> >
> > Yes, the intention is to allow a machine access regardless of user, the
> > website has a user login to track that.
> >
> > So it seems client certificates are not the way to go on this? I will
> > look into IPSec, but of course any further comments are always welcome.
> >
> > Thanks again
> >
> > David Wang wrote:
> > > What are you trying to accomplish?
> > >
> > > Are you trying to install one client certificate on machine and have
> > > all users logged into that machine automatically use that certificate
> > > to make a SSL request to your server? Because if so, what you want is
> > > very contrary to the whole security design of a client certificate.
> > >
> > > The whole purpose of client certificate is proof of identity. If you
> > > have multiple users that can use the same certificate, you might as
> > > well not bother requiring client certificates in the first place.
> > >
> > > Unless you are trying to enforce the requirement that only certain
> > > machines with client certificates, used by anyone, can access your
> > > server, but you can do that in other ways, like with IPSec.
> > >
> > > So... can you please describe what you are actually trying to do?
> > >
> > >
> > > //David
> > > http://w3-4u.blogspot.com
> > > http://blogs.msdn.com/David.Wang
> > > //
> > >
> > >
> > >
> > >
> > > Assimalyst wrote:
> > > > Hi,
> > > >
> > > > Using Windows Server 2003, i have set up a standalone certificate
> > > > using the certsrv tools.
> > > >
> > > > When a client machine registers you can use the advanced form to 'Store
> > > > Certificate in Local Computer Certificate Store'.
> > > >
> > > > This all works as intended when the client machine registers, but when
> > > > a user logs on to the site using IE6 they still are met with the 'The
> > > > page requires a client certificate' web page.
> > > >
> > > > I know i can export the local machine store certificate and then import
> > > > per user through IE, but is there an easier way to do it? Ideally i
> > > > want all users on a particular machine to automatically use the local
> > > > computer stored certificate without need for individual IE install.
> > > >
> > > > Thanks for your help.

Re: How do I make a local machine client certificate available to all users?

am 08.11.2006 13:10:28 von David Wang

It sounds like your client machines are Intranet machines which access
the Internet through a common Proxy, which then authenticate and access
your server machine.

>From a networking perspective, that Proxy intentionally masks the
internal IP of the client machines from your server machine and is the
only one that knows how to map between the two. So, the only way for
your server machine to know the client machine is if the client
intentionally discloses its identity to the server. You were thinking
of using machine-specific client certificates sent by the browser of
that machine for all users, but that dream runs contrary to how reality
works. An easy, proprietary approach would be for the client
authentication protocol to also disclose the internal IP to the server,
in the same way that it discloses the username.

As for restricting access to your server - you can only restrict it to
the IP of the Proxy using built-in IP Restriction of IIS or IPSec. If
you want to restrict based on internal IP at the Bureaus, then you need
to write your own proprietary code to retrieve the internal IP
disclosed via the proprietary authentication protocol.

All of this would be easy to do with built-in Windows functionality if
the machines are "local" to each other. It is hard because the Proxy
used at the Bureaus obscures the internal client machine's IP
(by-design), so using standard tools, you can only approximate
authentication based on the IP of the Proxy.



//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//



Assimalyst wrote:
> I have just found out the client machines operate from a DHCP server. I
> presume then that IPSec will not work in this instance?
>
> Thanks
>
> Assimalyst wrote:
> > I will elaborate on the situation as i am still a little unclear on the
> > bets course of action.
> >
> > I have Windows server 2003 SP1 running a website. I want to allow only
> > specific machines to access this website over the internet. They will
> > likely originate from 1 or 2 IP addresses, belonging to bureau of
> > machines, where users may be using different machines within the bureau
> > day to day.
> >
> > Ideally i would like to be able to track which machines are logged on,
> > and which user is logged on with that machine. I can track users
> > through the website, but am not so sure how to track the machine.
> >
> > I thought by using client certificates that the machine could be
> > tracked, but the certificate is installed on a per user basis. I found
> > i was able to install on the local machine certificate store, but the
> > certificate still needed to be installed per user for them to gain
> > access to the website.
> >
> > Any comments would be much appreciated.
> >
> > Assimalyst wrote:
> > > Hi David,
> > >
> > > Thank you for your response.
> > >
> > > Yes, the intention is to allow a machine access regardless of user, the
> > > website has a user login to track that.
> > >
> > > So it seems client certificates are not the way to go on this? I will
> > > look into IPSec, but of course any further comments are always welcome.
> > >
> > > Thanks again
> > >
> > > David Wang wrote:
> > > > What are you trying to accomplish?
> > > >
> > > > Are you trying to install one client certificate on machine and have
> > > > all users logged into that machine automatically use that certificate
> > > > to make a SSL request to your server? Because if so, what you want is
> > > > very contrary to the whole security design of a client certificate.
> > > >
> > > > The whole purpose of client certificate is proof of identity. If you
> > > > have multiple users that can use the same certificate, you might as
> > > > well not bother requiring client certificates in the first place.
> > > >
> > > > Unless you are trying to enforce the requirement that only certain
> > > > machines with client certificates, used by anyone, can access your
> > > > server, but you can do that in other ways, like with IPSec.
> > > >
> > > > So... can you please describe what you are actually trying to do?
> > > >
> > > >
> > > > //David
> > > > http://w3-4u.blogspot.com
> > > > http://blogs.msdn.com/David.Wang
> > > > //
> > > >
> > > >
> > > >
> > > >
> > > > Assimalyst wrote:
> > > > > Hi,
> > > > >
> > > > > Using Windows Server 2003, i have set up a standalone certificate
> > > > > using the certsrv tools.
> > > > >
> > > > > When a client machine registers you can use the advanced form to 'Store
> > > > > Certificate in Local Computer Certificate Store'.
> > > > >
> > > > > This all works as intended when the client machine registers, but when
> > > > > a user logs on to the site using IE6 they still are met with the 'The
> > > > > page requires a client certificate' web page.
> > > > >
> > > > > I know i can export the local machine store certificate and then import
> > > > > per user through IE, but is there an easier way to do it? Ideally i
> > > > > want all users on a particular machine to automatically use the local
> > > > > computer stored certificate without need for individual IE install.
> > > > >
> > > > > Thanks for your help.